Summary
Orthanc is a Belgian, open-source, lightweight RESTful DICOM server for healthcare and medical research with an ubiquitous web interface that enables you to upload, receive and transfer DICOM images. It comes with a REST API to automate imaging flows and an SDK to integrate with native applications.
Description
The vulnerability is caused due to the usage of vulnerable collection of libraries that are part of DCMTK Toolkit, specifically the parser for the DICOM Upper Layer Protocol or DUL. Stack/Heap Buffer overflow/underflow can be triggered when sending and processing wrong length of ACSE data structure received over the network by the DICOM Store-SCP service. An attacker can overflow the stack and the heap of the process when sending large array of bytes to the presentation context item length segment of the DICOM standard, potentially resulting in remote code execution and/or denial of service scenario.
==5299== Memcheck, a memory error detector
==5299== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==5299== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==5299== Command: ./Orthanc
==5299==
W1201 17:35:34.724792 main.cpp:1235] Orthanc version: mainline (20161129T150442)
W1201 17:35:34.804810 main.cpp:1092] Performance warning: Non-release build, runtime debug assertions are turned on
W1201 17:35:35.042122 OrthancInitialization.cpp:125] Reading the configuration from: "/home/lqwrm/Subversion/orthanc/Resources/Configuration.json"
W1201 17:35:35.272799 FromDcmtkBridge.cpp:141] Loading the external DICOM dictionary "/usr/share/libdcmtk2/dicom.dic"
W1201 17:35:35.905845 FromDcmtkBridge.cpp:141] Loading the external DICOM dictionary "/usr/share/libdcmtk2/private.dic"
W1201 17:35:36.407249 OrthancInitialization.cpp:488] Registering JPEG Lossless codecs
W1201 17:35:36.417571 OrthancInitialization.cpp:493] Registering JPEG codecs
W1201 17:35:36.846619 OrthancInitialization.cpp:986] SQLite index directory: "/ssd/lqwrm/Subversion/orthanc/i/OrthancStorage"
W1201 17:35:36.999809 OrthancInitialization.cpp:1056] Storage directory: "/ssd/lqwrm/Subversion/orthanc/i/OrthancStorage"
W1201 17:35:38.247567 LuaContext.cpp:103] Lua says: Lua toolbox installed
W1201 17:35:38.319095 ServerScheduler.cpp:134] The server scheduler has started
W1201 17:35:38.332937 HttpClient.cpp:680] No certificates are provided to validate peers, set "HttpsCACertificates" if you need to do HTTPS requests
W1201 17:35:38.345479 ServerContext.cpp:181] Disk compression is disabled
W1201 17:35:38.358374 ServerIndex.cpp:1392] No limit on the number of stored patients
W1201 17:35:38.361704 ServerIndex.cpp:1409] No limit on the size of the storage area
W1201 17:35:38.688634 main.cpp:822] DICOM server listening with AET ORTHANC on port: 4242
W1201 17:35:38.715241 MongooseServer.cpp:887] This version of OpenSSL is vulnerable to the Heartbleed exploit
W1201 17:35:38.721902 MongooseServer.cpp:1027] HTTP compression is enabled
W1201 17:35:38.887721 main.cpp:757] HTTP server listening on port: 8042
W1201 17:35:38.890026 main.cpp:644] Orthanc has started
==5299== Thread 11:
==5299== Invalid read of size 1
==5299== at 0x5ECEBD: parsePresentationContext(unsigned char, dul_presentationcontext*, unsigned char*, unsigned long*, unsigned long) (dulparse.cc:389)
==5299== by 0x5EC6A0: parseAssociate(unsigned char*, unsigned long, dul_associatepdu*) (dulparse.cc:234)
==5299== by 0x5E0131: AE_6_ExamineAssociateRequest(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, void*) (dulfsm.cc:1158)
==5299== by 0x5DF125: PRV_StateMachine(PRIVATE_NETWORKKEY**, PRIVATE_ASSOCIATIONKEY**, int, int, void*) (dulfsm.cc:750)
==5299== by 0x56DF26: DUL_ReceiveAssociationRQ(void**, DUL_BLOCKOPTIONS, int, DUL_ASSOCIATESERVICEPARAMETERS*, void**, int) (dul.cc:669)
==5299== by 0x56B440: ASC_receiveAssociation(T_ASC_Network*, T_ASC_Association**, long, void**, unsigned long*, bool, DUL_BLOCKOPTIONS, int) (assoc.cc:1752)
==5299== by 0x4494B5: Orthanc::Internals::AcceptAssociation(Orthanc::DicomServer const&, T_ASC_Network*) (CommandDispatcher.cpp:439)
==5299== by 0x42D010: Orthanc::DicomServer::ServerThread(Orthanc::DicomServer*) (DicomServer.cpp:69)
==5299== by 0x43198B: void boost::_bi::list1 >::operator()(boost::_bi::type, void (*&)
--------------------------------------------------------------------------------
(47fc.40cc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Users\lqwrm\Downloads\orthancAndPluginsWin32.stable\Orthanc.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Users\lqwrm\Downloads\orthancAndPluginsWin32.stable\Orthanc.exe
eax=000000ce ebx=ffffc99c ecx=0074ae50 edx=013e3060 esi=018cf094 edi=010090ab
eip=0136c910 esp=0389eca8 ebp=0389ece8 iopl=0 nv up ei ng nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
Orthanc+0xfc910:
0136c910 8a07 mov al,byte ptr [edi] ds:002b:010090ab=??
Disclosure Timeline
22.11.2016Vulnerability discovered.
28.11.2016Vendor contacted.
28.11.2016Vendor responds asking more details.
28.11.2016Sent details to the vendor.
01.12.2016Asked vendor for status update.
01.12.2016Vendor confirms the vulnerability both under Windows and Linux.
02.12.2016Vendor creates patch for DCMTK 3.6.0 and for Windows service.
13.12.2016Vendor releases version 1.2.0 to address these issues.
16.12.2016Coordinated public security advisory released.